CVE-2024-51144 in Ampache
Summary
by MITRE • 03/05/2025
Cross Site Request Forgery (CSRF) vulnerability exists in the 'pvmsg.php?action=add_message', pvmsg.php?action=confirm_delete , and ajax.server.php?page=user&action=flip_follow endpoints in Ampache <= 6.6.0.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/30/2025
The Cross Site Request Forgery vulnerability identified as CVE-2024-51144 affects Ampache version 6.6.0 and earlier, presenting a critical security risk to web applications that utilize this media library management system. This vulnerability manifests across three specific endpoints within the application's architecture, namely pvmsg.php?action=add_message, pvmsg.php?action=confirm_delete, and ajax.server.php?page=user&action=flip_follow. The flaw allows attackers to manipulate authenticated users into performing unintended actions without their knowledge or consent, exploiting the fundamental weakness in the application's request validation mechanisms.
The technical implementation of this CSRF vulnerability stems from the absence of proper anti-CSRF token validation in the affected endpoints. When users navigate to malicious websites or click on compromised links while authenticated to Ampache, attackers can craft requests that exploit the trust relationship between the user's browser and the application server. The vulnerability specifically targets endpoints that handle message creation, deletion confirmation, and user following toggling operations, all of which involve state-changing actions that should require explicit user authorization. This weakness falls under CWE-352, which defines Cross-Site Request Forgery as a security vulnerability that allows an attacker to induce users to perform actions they did not intend to perform.
The operational impact of this vulnerability extends beyond simple data manipulation, potentially enabling attackers to execute a range of malicious activities within the compromised user's context. An attacker could leverage this vulnerability to send unauthorized messages, delete user content, or modify user preferences and following relationships. The implications are particularly severe in collaborative environments where users may have administrative privileges or access to sensitive media libraries. The vulnerability's exploitation does not require authentication credentials from the attacker's perspective, as the malicious requests are executed within the authenticated user's browser session, making it particularly dangerous in environments where users frequently access applications from shared or public computers.
The attack vector for this CSRF vulnerability typically involves social engineering techniques where users are tricked into visiting malicious websites that contain embedded requests to the vulnerable Ampache endpoints. These attacks often occur through phishing campaigns, compromised advertisements, or malicious links shared via communication channels. The vulnerability's presence in the AJAX-based user interaction endpoints makes it particularly challenging to detect and prevent, as these requests may appear legitimate to the user's browser while being generated by malicious third parties. According to ATT&CK framework category T1566, this vulnerability aligns with the technique of "Phishing" and potentially "Spearphishing via Service" when attackers leverage the application's legitimate user interaction capabilities for malicious purposes.
Mitigation strategies for this vulnerability should include immediate implementation of anti-CSRF token mechanisms across all state-changing endpoints within the Ampache application. The solution requires generating unique, unpredictable tokens for each user session and validating these tokens on every request that modifies application state. Organizations should also implement proper referer header validation and utilize SameSite cookie attributes to prevent unauthorized cross-site requests. The most effective remediation involves upgrading to Ampache version 6.6.1 or later, where this vulnerability has been addressed through proper token validation mechanisms. Additionally, implementing Content Security Policy headers and educating users about the risks of visiting untrusted websites can significantly reduce the attack surface and potential impact of such CSRF attacks.